19 May 2005

Call for the Czar

It took me a minute to recognize the dark, intense man with the deep voice in the middle of the table at the front of the room. I peered into the gloom. It was Frank Sesno, CNN Correspondent and Professor of Communications at George Mason University, and he moderated the high-powered discussion at the National Press Club at noon yesterday.

I had been thinking about skipping it, but my Boss was trapped out in Virginia at the Big Operations Review, and he sent me a message on his Blackberry from the conference table asking me to attend. It popped up on my screen while I was doing something else, and I changed plans on the fly, leaving the building and dropping voicemails from my cell phone on the walk across town to the Press Building.

Sesno's tones were stentorian, and lent a certain gravity to the issue before the panel. The Dean of George Mason University and his leadership team were there at one of the front tables.

George Mason is an interesting institution. Those of us who live temporarily in Northern Virginia think of it as the local commuter college, and the kids think of it as the place they might attend if they don't get in someplace decent and had to stay in their own bedrooms.

It may not have much of an athletic program, not yet, anyway, or a cool party scene. But what it does have is an astonishing adjunct faculty that represents the people who make up the very fabric of the Government. A professor teaching telecommunications policy might actually be a former general counsel to the Federal Communications Commission, as was the guy next to me at the circular table by the wall.

I joked that I wanted to have something to fall against in case the coffee didn't work and I fell asleep. He looked at me and said he was just down from the North Woods, someplace called Dartmouth University.

George Mason cares about this issue because they have been vandalized, like so many of us. The University databases were recently ransacked for records containing personal information. The school joined the ranks of the academic and commercial activities that have had millions of social security numbers and credit card information purloined.

The Dean got a minute to talk, and he said they had to go public about their problem, though they could have kept quiet. This is part of a tidal wave of theft that threatens to swamp the system. He said that the culture of computers was such that everyone thought there was an office somewhere that took care of all these things. It is not true. We all have to be on guard against the thieves.

Frank acted just like he does on the television, naturally dividing his attention into thirty-second sound bites.

The headliners at the table were two heavy-hitting members of Congress. The biggest dog in the room was House Government Affairs Chair Tom Davis (R-VA) and House Homeland Security Committee member Zoe Lofgren (D-CA).

In supporting roles were Paul Kurtz, former deputy to Richard Clarke for critical infrastructure protection at the Office of Homeland Security, Jody Westby, managing director of PricewaterhouseCoopers, which didn't used to be a run-on name, and Business Roundtable Public Policy Director Marian Hopkins.

There was tension in the air, since Paul is one of the wunderkinds in town who labored mightily in the Critical Infrastructure Protection furor that came after 9/11, and was directed to implement a comprehensive, and some felt draconian, solution to protecting the nation's financial and information systems.

It made for some interesting bedfellows on the National Security side of the house, where I was sitting at the time. There was considerable push-back from industry, since security had not been built into operating systems like Windows. It cost money to make things secure, and no one wanted to pay. That is why the Apple system cost more.

But Apple owners don't get viruses, either. It is one of those pay-me-now or pay-me-later deals. We are now doomed to live in a Microsoft hell, where my sainted mother can get her computer infected with almost a thousand malicious software programs because she hasn't been trained to deal with the add-on firewalls and anti-virus programs we have to live with now.

Richard Clarke knew about that, and what was worse. The national infrastructure was becoming all connected together, and even not-so-clever hackers could gain access to all manner of things. A kid in Oregon briefly controlled hydroelectric power in the Pacific Northwest, from his bedroom, they say. A disgruntled employee of a public service utility used to drive around in his truck, opening sewage floodgates at random for fun.

Clarke directed the crafting of the original draft Homeland Security Presidential Directive that was going to bring things under control. For convenience, we called it HSPD-7. The first time I saw the thing, it was a phone-book sized text. The problem is that the Federal Government only owns about a tenth of the public infrastructure, and the directive would have cost billions to implement.

By the time the industry lobbyists got done with it, the final product was more like a glossy brochure. I'll tell you what I know about the story sometime, if you care. There are a lot of moving parts to this business.

Times have changed since HSPD-7 was issued, and the tide of assault on information systems has accelerated. The lunch was well-attended by media, and the provided lunch consisted of a nice chicken Caesar salad, rich brownies and hot coffee that didn't quite work.

The recent melt-down at the Department of Homeland Security hasn't helped things. Richard Clarke had stormed out of the White House as his influence diminished with the establishment of the office of Infrastructure Analysis/Infrastructure Protection in Tom Ridge's new organization. The level of influence was so diminished that there did not appear to be anyone in charge, and even if there were, all of them quit IA/IP two months ago.

House Resolution 285 was introduced to rectify the problem, and it was on the floor as the panel met. Rep. Zoe Lofgren, D-CA, cut to the chase quickly, since she had to leave and attend to it. She wants Cybersecurity highlighted as a major issue, and the position of Czar raised up out of the IA/IP organization to become Assistant Secretary for Cybersecurity at DHS.

She inserted a provision to that effect in the Bill.

Tom Davis was at his gruff best, his shock of brown hair wild and his eyes grave. As a former IT exec in Fairfax (I think he was with the PRI Corporation before he was elected) he concurs with the importance of the mission.

He disagreed with Zoe on where the Czar should be. He thinks the issue needs to be championed in the White House or at OMB. He also took the opportunity to slam DHS, saying they needed to get their own IT house in order before they tried to set standards for the rest of the Government. He thinks only the Office of Management and Budget can effectively mandate acquisition strategies in the inter-agency realm.

He also reiterated previous comments about the Federal Information Security Management Act (FISMA) saying that DHS received an "F" grade in the 2004 scorecard. He tried to be ominous, saying he was determined to link budget authority to the execution of funds in the future.

I may have just fallen off the turnip truck, but I have never seen a punitive budget cut improve any agency's posture in an acquisition strategy, but he apparently feels things are so bad that someone is going to have to be a poster child to get the proper attention paid to the issue.

Jody Westby thought things could be managed by requiring an IT security plan be included in FEC filings under the provisions of the Sarbanes-Oxley Act, which had been enacted to prevent ENRON-style fraud. It has had a practical consequence of wasting hours of my time to document my personal compliance with the law. I have defrauded no one since its passage, so maybe it is a good thing.

Jody said that a statement to the Commission that a compliant program was in place would be sufficient to protect us.

Marian Hopkins sniffed that an approach like that would not even apply to privately held companies, which did not have to file with the Commission, and was thus problematic. She said her Business Roundtable had no preference for the mechanics of the process, except to insist that the time to act was now, since it is too late to act yesterday.

Things being what they are, she thought we ought to place a major emphasis on reconstitution, after the IT “Pearl Harbor” goes down as it inevitably will. I flinched. No Blackberry messages? No e-mail? No voicemail? Sewage on the golf course?

What about the hydroelectric grid?

Paul Kurtz has changed his spots since going from the Executive Branch to industry. He said that the private sector should have more time to comply. He tried to compete with the congressman as the voice of authority, and his time on the microphone seemed to irritate Mr. Davis.

I talked to Paul afterward. He looked confident, but I think he realized suddenly that he was no longer inside the government, and his opinion was just that. His. Not that of the White House.

I doubt if he remembered me, but I handed him my business card and welcomed him to the world of commerce.

Copyright 2005 Vic Socotra

www.vicsocotra.com
